By configuring Routing and Remote Access to act as a remote access server, you can connect remote or mobile workers to organization networks. Remote users can work as if their computers are physically connected to the network.
Users run remote access software and initiate a connection to the remote access server. The remote access server, which is a server running Routing and Remote Access, authenticates users and services sessions until terminated by the user or network administrator. All services typically available to a LAN-connected user (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.
Remote access clients use standard tools to access resources. For example, on a server running Routing and Remote Access, clients can use Windows Explorer to make drive connections and to connect to printers. Connections are persistent: Users do not need to reconnect to network resources during their remote sessions. Because drive letters and universal naming convention (UNC) names are fully supported by remote access, most commercial and custom applications work without modification.

A server running Routing and Remote Access provides two different types of remote access connectivity:

1. Dial-up networking

Dial-up networking is when a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider such as analog phone, ISDN, or X.25. The best example of dial-up networking is that of a dial-up networking client who dials the phone number of one of the ports of a remote access server.
Dial-up networking over an analog phone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.
For more information, see The remote access server as a dial-up networking server.

2. Virtual private networking

Virtual private networking is the creation of secured, point-to-point connections across a private network or a public network such as the Internet. A virtual private networking client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a virtual private networking server. The best example of virtual private networking is that of a virtual private networking client who makes a virtual private network connection to a remote access server that is connected to the Internet. The remote access server answers the virtual call, authenticates the caller, and transfers data between the virtual private networking client and the corporate network.
In contrast to dial-up networking, virtual private networking is always a logical, indirect connection between the virtual private networking client and the virtual private networking server over a public network such as the Internet. To ensure privacy, you must encrypt data sent over the connection.
For more information, see The remote access server as a virtual private networking server.

Virtual private networks

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a virtual private network (VPN) connection.
The following illustration shows the logical equivalent of a VPN connection.

Users working at home or on the road can use VPN connections to establish a remote access connection to an organization server by using the infrastructure provided by a public network such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Organizations can also use VPN connections to establish routed connections with geographically separate offices or with other organizations over a public network such as
the Internet while maintaining secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link.

With both remote access and routed connections, an organization can use VPN connections to trade long-distance dial-up or leased lines for local dial-up or leased lines to an Internet service provider (ISP).

The primary topology described in this document is a hub-and-spoke design, where the primary
enterprise resources are located in a large central site, with a number of smaller sites or branch offices
connected directly to the central site over a VPN. A high-level diagram of this topology is shown in

Introduction to IPsec

The IPsec standard provides a method to manage authentication and data protection between multiple
crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key
Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Protocol
(ESP) and Authentication Header (AH).
IPsec uses symmetrical encryption algorithms for data protection. Symmetrical encryption algorithms
are more efficient and easier to implement in hardware. These algorithms need a secure method of key
exchange to ensure data protection. Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide
this capability.
This solution requires a standards-based way to secure data from eavesdropping and modification. IPsec
provides such a method. IPsec provides a choice of transform sets so that a user can choose the strength
of their data protection. IPsec also has several Hashed Message Authentication Codes (HMAC) from
which to choose, each giving different levels of protection for attacks such as man-in-the-middle, packet
replay (anti-replay), and data integrity attacks.

Tunneling Protocols

Tunneling protocols vary in the features they support, the problems they are designed to solve, and the
amount of security they provide to the data being transported. The designs presented in this architecture
focus on the use of IPsec as a tunneling protocol alone, and IPsec used in conjunction with Generic Route
Encapsulation (GRE) and Virtual Tunnel Interfaces (VTI).
When used alone, IPsec provides a private, resilient network for IP unicast only, where support is not
required for IP multicast, dynamic IGP routing protocols, or non IP protocols. When support for one or
more of these features is required, IPsec should be used in conjunction with either GRE or VTI.
The p2p GRE over IPsec design allows for all three features described in the preceding paragraph, while
a DMVPN design or a VTI design fulfills only the IP multicast and dynamic IGP routing protocol
requirements.
Other possible tunneling protocols include the following:

The following sections describe the two IP protocols used in the IPsec standard: ESP and AH.

Encapsulating Security Protocol

The ESP header (IP protocol 50) forms the core of the IPsec protocol. This protocol, in conjunction with
an agreed-upon set of security parameters or transform set, protects data by rendering it indecipherable.
This protocol encrypts the data portion of the packet only and relies on an HMAC for the other
protections (data integrity, anti-replay, man-in-the-middle). Optionally, it can also provide for
authentication of the protected data illustrates how ESP

Authentication Header (AH)

The AH protocol (IP protocol 51) forms the other part of IPsec. The AH does not encrypt data in the
usual sense, by hiding the data, but it adds a tamper-evident seal to the data. It also protects the
non-mutable fields in the IP header carrying the data, which includes the address fields of the IP header.
The AH protocol should not be used alone when there is a requirement for data confidentiality.
illustrates how AH encapsulates an IP packet.

IPsec Modes

IPsec has the following two modes of forwarding data across a network:
 Tunnel mode
 Transport mode
Each differs in its application as well as in the amount of overhead added to the passenger packet. These
modes are described in more detail in the next two sections.

Tunnel Mode

Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode
encapsulates or hides the IP header of the pre-encrypted packet, a new IP header is added so that the
packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in
this new header. These addresses can be specified in the configuration in Cisco IOS routers. Tunnel mode
can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional
packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely
considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and
destination IP addresses of the original packet, and hides that information from the unprotected network.
This helps prevent social engineering attacks.

IPsec Tunnel Mode

Transport Mode

IPsec transport mode works by inserting the ESP or AH header between the IP header and the next
protocol or the transport layer of the packet. Both IP addresses of the two network nodes whose traffic
is being protected by IPsec are visible in the IP header of the post-encrypted packet. This mode of IPsec
can be susceptible to traffic analysis attacks. However, because no additional IP header is added, it
results in less packet expansion. Transport mode can be deployed with either or both ESP and AH.
Transport mode can be used with p2p GRE over IPsec, because this design hides the addresses of the end
stations by adding their own IP header. If the source IP or destination IP address is an RFC 1918
compliant address, the packet cannot be transmitted over the public Internet, and these addresses cannot
transit a Network Address Translation (NAT) or Port Address Translation (PAT) device without
invalidating the HMAC of the crypto packet.
illustrates the expansion of the IP packet
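
The packet expansion of the two modes can be worked through byte by byte. The following is an added example, not part of the original document: it assumes IPv4 without options, ESP with a CBC cipher and a 96-bit truncated HMAC, and constructed addresses.

```python
"""ESP packet expansion in transport vs. tunnel mode (added example)."""
from dataclasses import dataclass

IPV4_HEADER = 20        # bytes, IPv4 header without options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)

# Assumed transform parameters: cipher -> (block size, IV size) in bytes,
# HMAC -> length of the truncated integrity check value (ICV) in bytes.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
ICV_LEN = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


@dataclass
class EspPacket:
    mode: str
    outer_src: str      # source address visible on the unprotected network
    outer_dst: str      # destination address visible on the unprotected network
    total_len: int      # size of the packet on the wire
    overhead: int       # bytes added compared with the original packet


def esp_packet(mode, src, dst, payload_len, cipher="aes-cbc",
               auth="hmac-sha1-96", gw_src=None, gw_dst=None):
    """Lay out an ESP packet for an original IPv4 packet src -> dst.

    payload_len is the size of everything after the original IP header.
    gw_src / gw_dst are the encrypting devices' addresses (tunnel mode only).
    """
    block, iv = CIPHERS[cipher]
    icv = ICV_LEN[auth]
    if mode == "tunnel":
        if gw_src is None or gw_dst is None:
            raise ValueError("tunnel mode needs the gateway addresses")
        protected = IPV4_HEADER + payload_len   # whole original packet
        outer_src, outer_dst = gw_src, gw_dst
    elif mode == "transport":
        protected = payload_len                 # original header stays in clear
        outer_src, outer_dst = src, dst
    else:
        raise ValueError(f"unknown mode: {mode}")
    # Pad so that protected data plus trailer fills whole cipher blocks.
    pad = -(protected + ESP_TRAILER) % block
    total = (IPV4_HEADER + ESP_HEADER + iv + protected + pad
             + ESP_TRAILER + icv)
    return EspPacket(mode, outer_src, outer_dst, total,
                     total - (IPV4_HEADER + payload_len))


def compare(payload_len, cipher="aes-cbc"):
    """Return (transport, tunnel) layouts for one constructed flow."""
    # Constructed addresses: RFC 1918 hosts behind documentation-range gateways.
    args = ("10.1.1.10", "10.2.2.20", payload_len, cipher)
    transport = esp_packet("transport", *args)
    tunnel = esp_packet("tunnel", *args,
                        gw_src="192.0.2.1", gw_dst="198.51.100.1")
    return transport, tunnel


if __name__ == "__main__":
    for length in (64, 1000, 1440):
        tr, tu = compare(length)
        print(f"{length:5d}B payload  transport +{tr.overhead}B "
              f"({tr.outer_src}->{tr.outer_dst})  tunnel +{tu.overhead}B "
              f"({tu.outer_src}->{tu.outer_dst})")
```

Because of cipher padding, the extra cost of tunnel mode over transport mode comes out at 16 or 24 bytes with 3DES rather than exactly 20, which is why the figure is quoted as approximate.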

Internet Key Exchange

To implement a VPN solution with encryption, periodic changing of session encryption keys is
necessary. Failure to change these keys makes the VPN susceptible to brute force decryption attacks.
IPsec solves the problem with the IKE protocol, which makes use of two other protocols to authenticate
a crypto peer and to generate keys. IKE uses a mathematical algorithm called a Diffie-Hellman exchange
to generate symmetrical session keys to be used by two crypto peers. IKE also manages the negotiation
of other security parameters such as the data to be protected, the strength of the keys, the hash methods
used, and whether anti-replay protection is applied to the packets. ISAKMP normally uses UDP port 500 as
both the source and destination port.

Security Association

A Security Association (SA) is an agreement between two peers engaging in a crypto exchange. This
agreement includes the type and strength of the encryption algorithm used to protect the data. The SA
includes the method and strength of the data authentication and the method of creating new keys for that
data protection. Crypto peers are formed as described in the following sections.
Each SA possesses a lifetime value for which an SA is considered valid. The lifetime value is measured
in both time (seconds) and volume (byte count) and is negotiated at SA creation. These two lifetime
values are compared, and agreement is reached on the lower of the two. Under normal circumstances,
the lifetime value expires via time before the volume limit. Thus, if an interesting packet matches the SA
within the final 120 seconds of the lifetime value of an active SA, the crypto re-key process is typically
invoked. The crypto re-key process establishes another active SA before the existing SA is deleted. The
result is a smooth transition with minimum packet loss to the new SA.

ISAKMP Security Association

An ISAKMP SA is a single bi-directional secure negotiation channel used by both crypto peers to
communicate important security parameters to each other, such as the security parameters for the IPsec
SA (data tunnel).
In Cisco IOS, the ISAKMP SA policy has a default lifetime value of 86,400 seconds with no volume
limit.

IPsec Security Associations (Data Tunnel)

An IPsec SA is a uni-directional communication channel from one crypto peer to another. The actual
customer data traverses only an IPsec SA, and never over the ISAKMP SA. Each side of the IPsec tunnel
has a pair of IPsec SAs per connection; one to the remote, one from the remote. This IPsec SA pair
information is stored locally in the SA database.
In Cisco IOS, the IPsec SA policy has a default lifetime value of 3600 seconds with a 4,608,000 Kbytes
volume limit.

IKE Phase One

IKE Phase One is the initial negotiation of a bi-directional ISAKMP SA between two crypto peers, often
referred to as main mode. IKE Phase One begins with an authentication in which each crypto peer
verifies their identity with each other. When authenticated, the crypto peers agree upon the encryption
algorithm, hash method, and other parameters described in the following sections to build the ISAKMP
SA. The conversation between the two crypto peers can be subject to eavesdropping with minimal risk
of the keys being recovered. The ISAKMP SA is used by the IKE process to negotiate the security
parameters for the IPsec SAs. The ISAKMP SA information is stored locally in the SA database of each
crypto peer. Table 1 illustrates the various security parameters defined in the following sections.

IPsec VPN WAN Design Overview
OL-9021-01
IP Security Overview

Authentication Methods

IKE Phase One has three possible authentication methods: Pre-Shared Keys (PSK), Public Key
Infrastructure (PKI) using X.509 Digital Certificates, and RSA encrypted nonces. For the purpose of this
architecture, only PSK and PKI with X.509 Digital Certificates are described, but the design is feasible
with any of these authentication methods.

Pre-Shared Keys

A PSK is an administratively pre-defined key string configured in each crypto peer, which the peers use
to identify each other. Using the PSK, the two crypto peers are able to negotiate and establish an
ISAKMP SA. A PSK usually contains a host IP address or subnet and mask that is considered valid for
that particular PSK. A wildcard PSK is a special kind of PSK whose network and mask can be any IP address.

Public Key Infrastructure using X.509 Digital Certificates

An alternative to implementing PSK is the use of Public Key Infrastructure (PKI) with X.509 Digital
Certificates. Digital Certificates make use of a trusted third party, known as a certificate authority (CA),
to digitally sign the public key portion of the encrypted nonce.
Included with the certificate is a name, serial number, validity period, and other information that an IPsec
device can use to determine the validity of the certificate. Certificates can also be revoked, which denies
the IPsec device the ability to successfully authenticate.
Configuration and management of Digital Certificates is covered in detail in Digital Certification/PKI
for IPsec VPN Design Guide at the following URL: http://www.cisco.com/go/srnd.

Table 1 ISAKMP SA Security Parameters

Encryption Algorithms

Crypto uses various encryption algorithms. At the core of the encryption algorithm is a shared secret key
to authenticate each peer. When authenticated, clear text data is fed into the algorithm in fixed-length
blocks and is converted to cipher text. The cipher text is transmitted to the crypto peer using ESP. The
peer receives the ESP packet, extracts the cipher text, runs it through the decryption algorithm, and
outputs clear text identical to that input on the encrypting peer.
Cisco IOS supports DES, 3DES, AES 128, AES 192, and AES 256 encryption algorithms, with DES
designated as the default.

Hashed Message Authentication Codes

The fundamental hash algorithms used by main mode are the cryptographically secure Message Digest
5 (MD5) and Secure Hash Algorithm 1 (SHA-1) hash functions. Hashing algorithms have evolved into
Hashed Message Authentication Codes (HMAC), which combine the proven security of hashing
algorithms with additional cryptographic functions. The hash produced is encrypted with the private key
of the sender, resulting in a keyed checksum as output.
Both MD5 and SHA-1 are supported within Cisco IOS, with SHA-1 designated as the default.

Diffie-Hellman Key Agreement

The Diffie-Hellman key agreement is a public key encryption method that provides a way for two crypto
peers to establish a shared secret key that only they know, while communicating over an insecure
channel.
With the Diffie-Hellman key agreement, each peer generates a public and private key pair. The private
key generated by each peer is kept secret and never shared. The public key is calculated from the private
key by each peer and is exchanged over the insecure channel. Each peer combines the public key of the
other with its own private key, and computes the same shared secret number. The shared secret number
is then converted into a shared secret key. The shared secret key is never exchanged over the insecure
channel.
Diffie-Hellman Groups 1, 2, and 5 are supported within Cisco IOS. Group 1 is the default value, with a
key length of 768 bits. Group 2 has a key length of 1024 bits and Group 5 has a key length of 1536 bits.

NAT Transparency (NAT Traversal)

IPsec NAT Transparency (NAT-T) introduces support for crypto peers to travel through NAT or PAT
points in the network by encapsulating crypto packets in a UDP wrapper, which allows packets to
traverse NAT devices. NAT-T was first introduced in Cisco IOS 12.2(13)T, and is enabled by default as
a global command. NAT-T is auto-negotiated between the two crypto peers during ISAKMP negotiation
with a destination UDP port of 4500. The source uses the next available higher port. When UDP port
4500 is used, the destination port moves to UDP port 4501, 4502, and so on, until an ISAKMP session
is established. NAT-T is defined in RFC 3947.
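
For monitoring, the traffic described above can be told apart from the first bytes of the UDP payload. The following is an added example, not part of the original document: it assumes the UDP encapsulation of RFC 3948 on port 4500 only, and all sample messages are constructed.

```python
"""Classify IKE and NAT-T traffic on UDP 500/4500 (added example)."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")    # fixed ISAKMP header, 28 bytes
EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational",
             32: "quick mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"         # precedes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                      # one-byte NAT keepalive


def parse_isakmp(data):
    """Decode the fixed ISAKMP header and check its length field."""
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "malformed", "reason": "short ISAKMP header"}
    (_i_cky, r_cky, _next, ver, exch, flags,
     _msg_id, length) = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        return {"kind": "malformed", "reason": "length field mismatch"}
    return {"kind": "isakmp",
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange": EXCHANGES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & 0x01),
            # The responder cookie is still zero in the very first message.
            "first_message": r_cky == b"\x00" * 8}


def classify(src_port, dst_port, payload):
    """Classify one UDP datagram by port and leading payload bytes."""
    ports = {src_port, dst_port}
    if 4500 in ports:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload[:4] == NON_ESP_MARKER:
            result = parse_isakmp(payload[4:])
            result["nat_t"] = True
            return result
        if len(payload) < 8:
            return {"kind": "malformed", "reason": "short ESP header"}
        # An ESP SPI is never zero, so anything else here is ESP in UDP.
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp-in-udp", "spi": f"0x{spi:08x}", "seq": seq}
    if 500 in ports:
        result = parse_isakmp(payload)
        result["nat_t"] = False
        return result
    return {"kind": "not-ike"}


def build_isakmp(exchange, flags, r_cookie, body):
    """Constructed ISAKMP message with an opaque body (sample data only)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"\x11" * 8, r_cookie, 1, 0x10,
                           exchange, flags, 0, length) + body


def constructed_samples():
    """(source port, destination port, UDP payload) tuples, all constructed."""
    zero, r_cky = b"\x00" * 8, b"\x22" * 8
    return [
        (500, 500, build_isakmp(2, 0, zero, b"\x00" * 20)),
        # Source port 61234 stands for a port rewritten by a NAT device.
        (61234, 4500, NON_ESP_MARKER + build_isakmp(2, 1, r_cky, b"\xaa" * 32)),
        (61234, 4500, NON_ESP_MARKER + build_isakmp(32, 1, r_cky, b"\xbb" * 48)),
        (61234, 4500, struct.pack("!II", 0x1A2B3C4D, 1) + b"\xcc" * 64),
        (61234, 4500, NAT_KEEPALIVE),
        (500, 500, build_isakmp(2, 0, zero, b"") + b"\x00" * 4),
    ]


if __name__ == "__main__":
    for sample in constructed_samples():
        print(sample[0], "->", sample[1], classify(*sample))
```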

IKE Phase Two

In IKE Phase Two, the IPsec SAs are negotiated by the IKE process using the ISAKMP bi-directional
SA, often referred to as quick mode. The IPsec SAs are uni-directional in nature, causing a separate key
exchange for data flowing in each direction. One of the advantages of this strategy is to double the
amount of work required by an eavesdropper to successfully recover both sides of a conversation. During
the quick mode negotiation process, the crypto peers agree upon the transform sets, hash methods, and
other parameters. Table 2 illustrates the various security parameters.

Encryption Algorithms

As in main mode, quick mode uses an encryption algorithm to establish the IPsec SAs. The encryption
algorithm negotiated by the quick mode process can be the same or different from that in the main mode
process. Cisco IOS supports DES, 3DES, AES 128, AES 192, and AES 256 encryption algorithms, with
DES designated as the default.

Hashed Message Authentication Codes

As in main mode, quick mode uses an HMAC to establish the IPsec SAs. The HMAC negotiated by the
quick mode process can be the same or different from that in the main mode process. Both MD5 and
SHA-1 are supported within Cisco IOS, with SHA-1 designated as the default.

Perfect Forward Secrecy

If perfect forward secrecy (PFS) is specified in the IPsec policy, a new Diffie-Hellman exchange is
performed with each quick mode negotiation, providing keying material that has greater entropy (key
material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange
requires large exponentiations, thereby increasing CPU use and exacting a performance cost.
Group 1 has a key length of 768 bits, Group 2 has a key length of 1024 bits, and Group 5 has a key length.
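
The Diffie-Hellman key agreement and the effect of PFS on quick mode keys can be followed in code. The following is an added example, not part of the original document: it assumes pre-shared key authentication, HMAC-SHA-1 as the PRF, the Group 1 prime and key derivation formulas of RFC 2409, and constructed secrets and nonces.

```python
"""IKEv1 key derivation with and without PFS (added example)."""
import hashlib
import hmac
import secrets

# Diffie-Hellman Group 1: 768-bit MODP prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
ESP = 3     # IPsec DOI protocol ID for ESP


def dh_keypair():
    """Private value stays local; only the public value is exchanged."""
    priv = secrets.randbelow(P - 3) + 2          # private value in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Combine our private value with the peer's public value."""
    # Reject values that would force a predictable shared secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(96, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def phase_one(psk):
    """Main mode with a pre-shared key; returns SKEYID_d."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    g_xy = dh_shared(i_priv, r_pub)
    assert g_xy == dh_shared(r_priv, i_pub)      # both peers agree
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def quick_mode(skeyid_d, pfs):
    """Return (KEYMAT per direction, fields carried in the messages)."""
    msgs = {"ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16),
            "spi": {"to_remote": secrets.token_bytes(4),
                    "from_remote": secrets.token_bytes(4)}}
    g_qm = b""
    if pfs:
        i_priv, i_pub = dh_keypair()             # fresh exchange per quick mode
        _r_priv, r_pub = dh_keypair()
        g_qm = dh_shared(i_priv, r_pub)
        msgs["ke"] = (i_pub, r_pub)              # only public values are sent
    keymat = {d: prf(skeyid_d, g_qm + bytes([ESP]) + spi
                     + msgs["ni"] + msgs["nr"])
              for d, spi in msgs["spi"].items()}
    return keymat, msgs


def derive_without_dh(skeyid_d, msgs):
    """Keys derivable from SKEYID_d and the messages alone (no DH private)."""
    return {d: prf(skeyid_d, bytes([ESP]) + spi + msgs["ni"] + msgs["nr"])
            for d, spi in msgs["spi"].items()}


def demo():
    skeyid_d = phase_one(b"constructed-psk")
    out = {}
    for label, pfs in (("no_pfs", False), ("pfs", True)):
        keymat, msgs = quick_mode(skeyid_d, pfs)
        # True means the data keys follow from phase-one material alone.
        out[label] = derive_without_dh(skeyid_d, msgs) == keymat
        out["directions_differ"] = keymat["to_remote"] != keymat["from_remote"]
    return out


if __name__ == "__main__":
    print(demo())
```

Without PFS the IPsec keys depend only on phase-one keying material and values carried in the quick mode messages; with PFS they also depend on a Diffie-Hellman secret that exists only for that negotiation.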

Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP. DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components are run as background service applications.
Network resources are identified by numeric IP addresses, but these IP addresses are difficult for network users to remember. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP address used by those resources for communication. In this way, DNS acts as a mnemonic device, making network resources easier to remember for network users.

WINS consists of two main components, the WINS server and WINS clients.

The WINS server handles name registration requests from WINS clients, registers their names and IP addresses, and responds to NetBIOS name queries submitted by clients, returning the IP address of a queried name if it is listed in the server database.

Also, as the following graphic shows, WINS servers can replicate the contents of their databases (which contain NetBIOS computer name mappings to IP addresses) to other WINS servers. When a WINS-enabled client computer (such as a workstation computer on either Subnet 1 or Subnet 2) starts on the network, its computer name and IP address are sent in a registration request directly to its configured primary WINS server, WINS-A. Because WINS-A is the server that registers these clients, it is said to be the owner for the records of the clients in WINS.

Primary/Secondary WINS servers

WINS servers are used by clients in one of two ways: either as a primary or secondary WINS server.
The difference between primary and secondary WINS servers is not based in any way on the servers (that for all functional purposes are the same in WINS). The difference occurs at the client which differentiates and orders the list of WINS servers when provided more than one WINS server to use.
For most cases, the client contacts the primary WINS server for all of its NetBIOS name service functions (name registration, name renewal, name release, and name query and resolution). The only case where secondary WINS servers are ever used is when the primary WINS server is either:
1. Unavailable on the network when the service request is made, or
2. Unable to resolve a name for the client (in the case of a name query).
In the case of a failure by the primary WINS server, the client requests the same service function from its secondary WINS servers. If more than two WINS servers are configured at the client, the additional WINS servers are tried until the list is exhausted or one of the secondary WINS servers succeeds in processing and responding to the request. After a secondary WINS server is used, a client periodically tries to switch back to its primary WINS server for future service requests.
For most recent WINS clients (Windows XP and Windows 2000), a list of up to 12 secondary WINS servers can be configured (either manually through TCP/IP properties or dynamically by a DHCP server providing a list using DHCP option type 44). This feature is useful in an environment where there is a large number of mobile clients and NetBIOS-based resources and services are used often. In these types of environments, the WINS database may not be consistent throughout the network of WINS servers because of convergence issues, so it can be helpful for clients to be able to query more than two WINS servers.

Medical Transcription

"Excellence is not our motto, it is our minimum standard"

When accepting a position with global leaders, you accept the challenge of being part of a very specialized team representing the highest professional standards in the medical transcription industry.
We deal with reports of radiology, pathology, emergency rooms, physician offices and clinics throughout the United States. To those we serve, team members are a vital part of the company's ongoing success.
There can be no greater asset in the operational structure than the talents each individual brings to the organization. All positions held with Global Technology Services are unique parts of the operation as a whole. Contributions made by Global Technology Services team members, through their work and communications with one another, assist everyone in accomplishing both personal and professional goals.
We hear the lament of medical transcription providers questioning healthcare reform, afraid of the changes taking place in our industry. At Global Technology Services, we are not worried; we are challenged. We are not intimidated; we are empowered. There remains a strong need for quality, responsible transcription providers able to keep pace with technology while never forgetting to honor their customer and employee commitment. We stand highlighted in the field of medical transcription only because of STAT.

Welcome to Global Transcription Services. We offer custom digital dictation/transcription solutions catered to your environment. Our services are available throughout the United States with our corporate offices in Texas. We look forward to providing you with excellent service.
At Global Transcription Services, we pride ourselves on providing documents that are accurate, efficient and meet the unique needs of each one of our clients. We also work hard to develop long-term client relationships based on open communication and collaboration. We would like to take this opportunity to tell you why we should be your next transcription service.

Our Services:

Medical Transcription.
Business Transcription.
Nurses Transcription and all types of Transcription Works.
What We Offer For Our Customers:

Reliable, Worry-free Transcription

The point of outsourcing your transcription is so that you will no longer have to think about it. Once you have experienced our truly reliable, high quality service, transcription will be the last thing on your mind. Leave the worrying to us.

What we offer:

 Standard 24 hour turn around time transcription.
 Large staff of quality, transcriptionists to produce your reports.
 Full coverage. No worries about your transcriptionist being sick or on vacation.
 Personal service. Every client is equally important to us and it shows when you call.
 Technology: Solutions for everyone from single practices with one PC to complex dynamic workflow management and interfacing with electronic records.
 98% + accuracy.
 Special Screening of employees for their Track Record in Transcription industry and for any Criminal Records.

Dictation options:

 Dictate from any telephone to our Toll Free dictation line, available 24/7/365.
 Use a portable, handheld digital recorder.
 Continue to use your existing digital device (recorder, PDA, computer microphone)
 Combine any of these methods to meet your needs. We will take care of setting up your office and staff to upload digital dictation to our secure servers.

 By the line or by the page.
 Clearly defined so you can always verify your bill.
 No setup fees.
 Volume discounts available.
 Contracts available but not required. Try us. We are confident you will be happy with our service.

Web Development

We specialize in developing websites that work. We have proven experience and expertise in designing websites that succeed by bringing in enquiries, which generate sales and are an asset to your business. As a website design company we offer a full-circle approach in website design & web development where the actual web designing effort covers only 40% of the entire project pie; our website designing services cover strategic planning, business intelligence, creative, application development, product / service promotion & solution maintenance. Most of our time goes in understanding your business objectives, defining the problem and finally designing the best possible solution. Your website can offer you the best return for your investment, if done correctly.

We understand that every company has a unique requirement when it comes to web designing. Our responsibility is to project that uniqueness and make the website stand out from its competition. Unlike run-of-the-mill website designers, we make it a point to deliver a distinctive look to your website. Our web designing experts ensure that your website is search engine friendly, aesthetically appealing and user friendly. The quality of our client accounts sets us apart from our competitors and establishes our domain supremacy in USA and India.

Global Technology Services differentiates itself from its competitors, marked by an uncompromised commitment to on-time completion and a strict focus on cost management.

Our clients are mainly based in USA and India. Our software department offers you solutions that give you the capacity to save time and money. With these software solutions, you just need to input the data that is required and share it across several functional departments seamlessly. Not only this, you can even automate warehouse and inventory processes along with billing and accounting processes, thereby saving your time and money.

We delve into all the major aspects of healthcare, hotels, financial accounting, inventory management system, school management system ERP (Enterprise Resource Management) etc. Having professionals who are experts in their fields and are abreast of the latest in technology makes us unique in the IT industry.